NATO Rapid Reaction Team to fight cyber attack

Cyber warfare is war without any noise, tanks or aircraft. Currently, it is a profitable, relatively risk-free and anonymous crime. It is often difficult to identify the origin or perpetrators of the attack - and this is the main problem. In order to be more effective, all the parties involved must work together: NATO, the private sector, international organizations, academia. By the end of 2012, a rapid reaction team (RRT) capability of NATO cyber defence experts will be operational.

The technical centre of the NATO Computer Incident Response Capability (NCIRC) is the nerve centre of the Alliance's fight against cyber crime.

"The NCIRC is responsible for the cyber defence of all NATO sites, whether they are those of static HQs or HQs deployed for operations or exercises," says Ian West, NCIRC TC Director.

In the event of an attack against a NATO information system, the experts concerned meet immediately and draw up a plan of action. The aim is to restore the systems so that everything gets back to normal operation as quickly as possible.

Alex Vandurme is one of these experts. He is the head of the engineering section of the NCIRC. He holds a master's degree in information technology and has solid experience in the area of information security. His role at the NCIRC is to develop security guidelines and advise on how to protect NATO's computers and information networks and reduce their vulnerability. His job is to analyse digital artefacts and network traffic relating to the incident. This means determining as quickly as possible whether the incident has really occurred and what its impact is, find ways to limit the damage, and, if appropriate, identifying the source of compromise.

"Our greatest challenge is a bit like defending a skyscraper. We have to close each door and window, while hackers only need to find one open to get in. We have to think of everything, all the time - think like them and anticipate", says Alex Vandurme.

More sophisticated, more frequent attacks

More and more cyber attacks are happening in the world and they are becoming more sophisticated. Our interconnected societies depend on new technologies, and this makes them more vulnerable to attack.

Espionage, destruction, crime, and theft of military and industrial secrets are widespread. Attacks targeted at an organisation or country are motivated, developed and carried out by organised experts. It's a far cry from the original hackers who regarded attacks on systems as a recreational pastime.

The experience of the Stuxnet virus, which reportedly significantly impacted on Iran's nuclear programme in 2010, marked the transition from the cyber world to the physical world. Water, electricity, hospitals, as well as air security, defence and banking services - all these rely on information networks. So many sensitive sites which may cause harm to an organisation or a whole country.

"The number of cyber attacks is rising every day, whether they be against NATO systems or against the vital systems of our member nations. NATO must be able to offer cyber defence assistance to its members to help them guard against these attacks, to detect them, and - once they have happened - to react swiftly to limit the damage", says Jamie Shea, Deputy Assistant Secretary General for Emerging Security Challenges at NATO.

Rapid Reaction Team operational by end 2012

In 2011 NATO started to formulate a rapid reaction team concept for this purpose. "These cyber defence experts are responsible for assisting member states which ask for help in the event of an attack of national significance," Alex Vandurme explains. The creation of this team was a result of the NATO cyber defence policy, which was revised by defence ministers in June 2011. In future, additional efforts will be devoted to risk prevention and enhanced resilience.

"The types of cyber attacks experienced by Estonia and Georgia will become the most frequent form of cyber attack in the future. A mixture of protest, or traditional war, and a cybernetic element," Alex Vandurme continues. The rapid reaction teams must therefore by ready to act when assistance is requested. They should be operational by the end of 2012.

So far, a number of steps have already been taken, and the NCIRC should achieve full operational capability in early 2013. All the technical requirements have been identified and a call for bids has been launched. Cooperation arrangements are being developed, involving experts among whom there is mutual confidence and who come from the nations, from industry, from academia and from NATO. These arrangements will eventually open up access to specialised expertise in all areas of cyber security. The profiles of experts needed for assistance missions, specifying the areas of competence, are also being prepared.

"All the RRT procedures and possible actions are defined in a handbook which should be finished by summer 2012," says Alex Vandurme. "This manual also sets out the guidelines for NATO's response to its Allies and partners who request assistance in the protection of their information and communication systems".

An ad hoc working group has been set up to work on this handbook. It brings together national experts from Allied countries, including civil emergency planning experts.

"With the RRTs, NATO will be able to offer, upon request, professional and well-organised assistance to its members and partners, but principally to those countries which do not yet have the resources to set up cyber defence capabilities of this kind. It's a version of the military principle of mutual assistance and collective defence," Alex Vandurme continues.

Rapid Reaction Team profiles, training and equipment

The RRT capability will consist of a permanent core of six specialised experts who can coordinate and execute RRT missions. There will also be national or NATO experts in specific areas. Their numbers and profile will be determined on the basis of the mission to be carried out.

The RRTs will have all the equipment they need: IT and telecommunications equipment, such as satellite telephones, and equipment for digital evidence collection, cryptography, digital forensic analysis, vulnerability management, network security, etc.

"All these experts will be trained in NATO procedures and in the handling of the equipment," says Alex Vandurme., "They will also be involved in the Cyber Coalition exercise which we hold in November every year."

Activating a Rapid Reaction Team

Any NATO member nation suffering a significant cyber attack will be able to ask for NATO's help. The request will be considered by the Cyber Defence Management Board (CDMB). Requests for help which come from non-NATO countries will have to be endorsed by the North Atlantic Council.

"During the 2010 Cyber Coalition exercise, we practiced the consultation and decision-making mechanisms for the RRTs at CDMB-level. We learned lessons from this on improving our procedures. In November 2012, we will move on to phase two: testing the RRT intervention phase and, specifically, the usefulness of the handbook which has just been prepared."

Once activated, the RRTs will be able to respond within 24 hours of the incident.

"I enjoy this work. It's exciting and varied," Alex Vandurme concludes. "No two minutes are the same. It's a battle between experts. And it's also an honour to contribute to the creation of something from scratch - from political aspiration to practical implementation."

Video

Exercising together against cyber attacks20 Dec. 2011

A former hacker now working on cybersecurity29 Nov. 2011

NATO Chronicles: Fighting the Invisible Enemy 20 Sep. 2011

War in cyberspace24 Mar. 2009

Cyber conflicts - exploring the concept30 Jun. 2011

Rendez-Vous - Hacktivists or jihadists: the shape of threats to come?17 Aug. 2011